Microprocessor arrangement for a vehicle-control system

ABSTRACT

A microprocessor configuration for a control system of a vehicle comprises a plurality of microprocessor systems ( 4,5,6 ) which are interconnected by bus systems ( 1,2,3 ) and include an anti-lock and/or traction slip control system and further control systems, which require complex computing operations, as well as an input signal conditioning system (SC). For the purpose of error detection one part of the data processing is performed “symmetrically” redundantly in a plurality of microprocessor systems and another part of the data processing is additionally performed (“asymmetrically” redundantly) in accordance with simplified algorithms. 
     Two like master microprocessor systems ( 5,6 ) are provided which serve the symmetrically redundant data processing. The input signal conditioning and the processing in accordance with simplified algorithms are installed in a third microprocessor system ( 4 ). The output and/or intermediate results are compared for redundancy; moreover, the data processing performed in these microprocessor systems is each time compared and checked for plausibility with the results of the simplified data processing.

BACKGROUND OF THE INVENTION

This invention relates to a microprocessor configuration for controlsystems for vehicles that, for example, comprise inter alia anti-lockcontrol systems (ABS), traction slip control systems (Germanabbreviation ASR=TCS), systems for electronic control of the brakingforce distribution (German abbreviation: EBV=EBD) as well as for yawtorque control, and driving stability control systems (Germanabbreviation: GMR=YTC; FSR=DSC; and ASMS), etc.

A great number of such control systems and system variants is known.Nowadays, the importance of such systems is rapidly increasing in viewof the demand for higher safety standards and for more comfort.

It is also known to combine a plurality of control systems to form acompound system as the various functions are interactive and as parts ofdifferent control systems such as sensors, circuits for detecting andprocessing input control signals, monitoring systems etc. can be usedjointly.

Microcomputer structures of various types are used for solving complexarithmetical problems. From DE 32 34 637 C2, e.g., an anti-lock controlsystem has come to knowledge the control unit of which includes two ormore parallel-working microcontrollers for the generation of brakingpressure control signals. These microcontrollers process the same inputsignals in accordance with an identical computer program. The outputsignals and internal signals of the microcontroller are monitored forconcurrence in order to detect any malfunctions in either of the twocontrollers. Electronic control will be switched off if the signalsredundantly processed in the microcontrollers are differing from eachother. This is done in order to ensure that the braking function, evenif uncontrolled, will be kept up also if there comes up an error in theelectronic system.

Such a circuit configuration with so-called asymmetrical redundancy alsohas already come to knowledge from DE 41 37 124 A1. In this circuitconfiguration, the input signals of the control system, namely thesignals obtained by means of wheel sensors and representing therotational behavior, are fed to two parallel microcontrollers. Only oneof these two microcontrollers works through the full control programwhile the second microcontroller simulates the input information in asimplified form, processing it in accordance with simplified algorithms.By comparing the data processing results of the two microcontrollers forconcurrence or, at least, for plausibility it is possible to recognizemalfunctions or defects in the electronic system despite the simplifieddata processing.

Further, a microprocessor configuration of the type mentioned above isknown from DE 44 39 060 A1(P 7714), which includes a plurality ofmicroprocessor systems interconnected by bus systems. By means of thisconfiguration it is possible to carry out anti-lock control and tractionslip control as well as, at least, one further control functionrequiring complex computing operations, the monitoring functionsincluded. This known microprocessor configuration includes threemicroprocessor systems, with the individual functions being allocated tothese microprocessor systems so that the first microprocessor system,together with the second microprocessor system, takes over the ABS andASR (=TCS) functions, the monitoring of these functions included. Thethird microprocessor system, together with the second microprocessorsystem, carries out the further control function (GMR=YTC), whichrequires complex computing operations, and the monitoring thereof. Forthe purpose of monitoring, this configuration makes use of theasymmetrically redundant data processing (by means of differentcomputing processes or computer systems) or of the symmetricallyredundant data processing (by means of like computing processes orcomputer systems) in two microprocessor systems at a time.

A high-degree operational reliability is achieved by means of theinstallation, described in the aforementioned DE 44 39 060 A1, of thevarious functions in only three microprocessor systems, the redundantsignal processing included which serves monitoring purposes. If certainmalfunctions of one control component are detected it will moreover bepossible to switch off this component, only, while continuing othercontrol functions.

It is now an object of the present invention to develop a microprocessorconfiguration for a complex vehicle control system, comprising aplurality of control components, which enables an even better, moresensitive and more balanced allocation of the monitoring of individualcontrol functions or control systems with regard to safety demands orrather to the importance of these functions for the safety of thevehicle. What should be achieved in a way is the realization of abalanced safety concept.

SUMMARY OF THE INVENTION

It has been found out that this object can be achieved by amicroprocessor configuration the particular feature of which consists inthat two like master microprocessor systems are provided which are usedfor the redundant data processing; in that, further, the input signalconditioning and the processing in accordance with simplifiedalgorithms, i.e., on the basis of asymmetrical redundancy, are installedin a third microprocessor system; and in that, at last, the outputand/or intermediate results of the data processing taking place in themaster microprocessor systems are compared amongst each other forconcurrence and each time are compared with the output and/orintermediate results of the simplified data processing and are checkedwith these results for plausibility.

According to an advantageous embodiment it is expedient, in comparingand evaluating the redundantly processed data, to differentiate between“safety-critical” and “functionally essential” data or data which inview of safety are less critical. If there are any variations betweenthe redundantly processed safety-critical data the entire vehiclecontrol system will be switched off or, at least, the control systemsconcerned by the non-concurrent data will be put out of operation. Incase of variations between less sensitive, functionally important data,the defective master microprocessor system will be identified by meansof an individual comparison of the data of the two master microprocessorsystems with the results of the simplified data processing. Then, thecontrol functions will be continued completely or restrictedly by meansof the intact microprocessor system.

If there occur discrepancies between the data processing results of themaster microprocessor systems it will be possible to deactivate thesetwo processor systems one after the other whereupon, if afterdeactivation of the system the data processing results concur with theresult of the simplified data processing or rather are plausible, thecontrol functions will at least be continued restrictedly on the basisof the valid, intact master microprocessor system and on the basis ofthe monitoring for plausibility by the third microprocessor system. Ofcourse, only the essential data processing operations and controlfunctions will be continued, not the safety-critical ones.

On the other hand, it is also possible to design the circuitry so that,upon the occurrence of any discrepancies between the data processingresults of the master microprocessor systems, the data processingoperations and control functions are continued on the basis of theresults which are closer to the results established by the simplifieddata processing. Such a procedure, however, is not always expedientsince such an interpretation may lead to problems if there come upfortuitous results because of the malfunctions. It is therefore safer todeactivate the two master microprocessor systems one after the other, asmentioned above, and to thus find out which system is defective.

According to another example of an embodiment of this invention, it isprovided that, upon the occurrence of discrepancies between the dataprocessing results, certain control functions or system functions arecanceled in dependence on the extent of the variation or on the numberof non-concurrences per time unit, with again differentiating between“safety-critical” and, in terms of safety, “uncritical” controloperations and system functions.

Any further details, advantages and applications of this invention willbecome evident from the following description with reference to oneexample of an embodiment of this invention.

BRIEF DESCRIPTION OF THE DRAWING

The accompanying FIGURE is a simplified schematical representation ofthe fundamental structure of a microprocessor configuration according tothis invention.

DETAILED DESCRIPTION OF THE DRAWING

As can be seen in this representation, the inventive microprocessorconfiguration includes three microprocessor systems 4,5,6 (MP1, MP2, andMP3) interconnected by a bus system which in the represented example isa ring bus 1,2,3. It might also be possible to use a star-shaped businstead of the ring bus 1,2,3.

Referring to the illustration, “ES” symbolizes the input signals fed tothe microprocessor 4 (MP1) via a bus. In a vehicle control systemincluding ABS, ASR (=TCS), EBV (=EBD) etc., sensor signals representingthe rotational behavior of the individual vehicle wheels are fed asinput information to the first microprocessor system 4 (MP1). Additionalinformation on the yaw angle, yaw angle speed, steering angle, brakingpressure etc. is needed for a driving stability control (called GMR=YTC,FDR=DSC, or ASMS). This information is obtained by means of appropriatesensors or is established, as far as possible, by computation from theavailable information, in particular from the wheel sensor information.In the representation, these additional sensors and information aresymbolized by a sensor unit 7 which, in this example, includes a yawangle sensor G, a steering angle sensor LW, and a pressure sensor P. Inthis example, the output signal of sensor unit 7 is fed directlyparallel to the two microprocessor systems MP2 and MP3. In another(non-represented) example of an embodiment, the signal conditioning forthis information is likewise installed in the input microprocessorsystem 4 (MP1).

The inventive microprocessor configuration provides a redundant dataprocessing in two complete microprocessor systems 5,6 (MP2, MP3). In thepresent example, the microprocessor configuration serves anti-lockcontrol (ABS) as well as traction slip control (ASR=TCS), the control ofbraking force distribution (EBV=EBD) and driving stability control(ASMS=Automatic Stability Management System).

In the third microprocessor system MP1 realized by a simplified systemin contrast to MP2 and MP3, above all conditioning and processing of theinput signals (Signal Conditioning) take place. Moreover, themicroprocessor system includes “simulations” abs, asr, ebv (asms),namely of the control systems ABS, ASR, EBV, ASMS installed in the twoprocessor systems MP2 and MP3. “asms” was put in parentheses in MP1because, in a preferred example of an embodiment, this control systemwas for safety reasons exclusively monitored by symmetrical redundancy,not by a simulation with simplified algorithms. However, it is quitepossible to monitor, at least, some functions of the stability system(ASMS) by asymmetrical redundancy.

Symbolically represented in the illustration are moreover the redundancymembers or comparators 8, 9, and 10 essential for this invention. Incircuit 8, the final results and/or intermediate results of the twomaster microprocessor systems MP2 and MP3 are compared for concurrence.The monitoring is based on the so-called “symmetrical” redundancy. Ifthere occur discrepancies or rather if there is no complete concurrenceof the data processing results fed to the redundancy member 8 entirecontrol will be switched off if the data and the control or systemfunctions concerned are safety-critical. This is symbolized by a contact11 which will release the control system or switch it on, only, if thecompared signals completely concur.

By means of the comparators or redundancy members 9,10, the dataprocessing results (final and/or intermediate results) of the mastermicroprocessor systems 2,3 are moreover checked for concurrence orrather for plausibility with the data processing results obtained on thebasis of the simplified algorithms. The check of the results or ratherof the mode of operation of the microprocessor system MP2 takes place incomparator 9 while the microprocessor system MP3 is checked incomparator 10. The data line 13 represented by a broken line and leadingfrom circuit 12 to circuit (9,10) indicates that this plausibility checkonly applies to the functionally essential data, yet not to thesafety-critical data, nor to the safety-critical control or systemfunctions, respectively, of the master microprocessors 5,6 (MP2, MP3).Of course, there is a multitude of possibilities to differentiatebetween safety-critical and functionally essential or less criticalfunctions and to correspondingly balance the safety concept. Forinstance, the repeated occurrence of a malfunction which in itself isless critical can be considered a higher-degree safety risk and may thuslead to switching-off.

An advantageous example of an embodiment of this invention consists inthat, upon the occurrence of a functionally essential error which is notcritical in terms of safety, this error is localized via circuit 12 andthe comparators 9,10. To this end, the microprocessor systems MP2 andMP3 are deactivated one after the other. If now concurrence orplausibility of the data processing results is ascertained by comparator9 or 10 the control function will at least be continued for apredetermined period of time or up to a certain event such as the end ofthe current control cycle.

An example of a safety-critical function is the coming-on of the brakingoperation during driving stability control (ASMS).

An “unjustified braking intervention” is to be prevented for safetyreasons. If comparator 8 detects a discrepancy in such a case ASMS willbe put out of operation. Moreover, in this example, the error will belocalized by means of the third microprocessor system 4 (MP1) and an ABSbraking operation on the basis of the data computed by the intactmicroprocessor system MP2 and MP3 will be permitted if these data standup to a check on the basis of the simplified logarithm by means of themicroprocessor system MP1. This is one example out of a multitude ofexamples.

It is consequently possible to achieve a high safety level by means ofthe inventive microprocessor configuration. On the other hand, anyerrors that are critical to driving safety will lead to switching-off ofcontrol. In case of other, relatively uncritical malfunctions, it is onthe other hand ensured that control will be continued completely orrestrictedly, e.g., until a control operation is terminated. This“balancing” of the safety concept is a decisive advantage, especially soin complex control systems which combine very different controlfunctions.

What is claimed is:
 1. A microprocessor configuration for a controlsystem of a vehicle comprising a plurality of microprocessor systemswhich are interconnected by bus systems and include at least one memberof the group consisting of an anti-lock control system and a tractionslip control system, and at least one additional control system, whichrequires complex computing operations, as well as an input signalconditioning system, wherein, for the purpose of error detection, theconfiguration being capable of performing one part of the dataprocessing redundantly in a plurality of microprocessor systems insymmetrical redundancy and, additionally, one part of the dataprocessing in accordance with simplified algorithms in asymmetricalredundancy, wherein the microprocessor configuration includes two likemaster microprocessor systems which are assigned to the redundant dataprocessing; wherein a third microprocessor is adapted to perform theinput signal conditioning and the processing in accordance with thesimplified algorithms; and wherein the configuration is capable ofcomparing results of the data processing amongst each other forconcurrence and of comparing and checking these results, forplausibility with the respective results of the simplified dataprocessing.
 2. A microprocessor configuration as claimed in claim 1,wherein, in comparing and evaluating the redundantly processed data, theconfiguration is capable of distinguishing between safety-critical andfunctionally essential data.
 3. A microprocessor configuration asclaimed in claim 2, wherein the configuration includes a safety devicewhich, in case of discrepancies between the redundantly processedsafety-critical data, switches off at least the control systemsconcerned by non-concurrent data.
 4. A microprocessor configuration asclaimed in claim 2, which is capable of identifying, in case ofdiscrepancies between the functionally essential data, a defectivemaster microprocessor system by means of individual comparison of thedata of the two master microprocessor systems with the results of thesimplified data processing in the third microprocessor system, and ofcontinuing control functions, at least restrictedly, by means of theremaining intact master microprocessor system and by means of the thirdmicroprocessor system.
 5. A microprocessor configuration as claimed inclaim 4, which is capable of deactivating, one after the other, the twomaster microprocessor systems upon the occurrence of discrepanciesbetween the data processing results of the master microprocessor systemsand, if, after deactivation of one of the master microprocessor systems,the data processing results are plausible, of continuing controlfunctions, at least restrictedly, on the basis of the remaining valid,intact master microprocessor system and on the basis of monitoring forplausibility.
 6. A microprocessor configuration as claimed in claim 5,wherein the control functions being continued are only the functionallyessential data processing operations and control functions not thesafety-critical ones.
 7. A microprocessor configuration as claimed inclaim 4, wherein that master microprocessor systems is deemed the intactone whose results are closer to the results established by thesimplified data processing.
 8. A microprocessor configuration as claimedin claim 1, which is capable, upon the occurrence of discrepancies, ofcanceling certain control functions or system functions in dependence onthe extent or number of non-concurrences per time unit, withdifferentiating between safety-critical and uncritical, functionallyessential control functions and system functions.
 9. A microprocessorcontrol system of a vehicle, comprising: a first microprocessing systeminterconnected in symmetrical redundancy to a second microprocessingsystem for redundant data processing, said first and secondmicroprocessing systems each including a first control system utilizingcomplex computing operations and a second control system utilizingcomplex computing operations, said first control system being at leastone of an anti-lock control system and a traction slip control system; athird microprocessing control system interconnected to said first andsecond microprocessing control systems, said third microprocessingcontrol system adapted to perform input signal conditioning and signalprocessing utilizing simplified algorithms; wherein when saidmicroprocessor control system compares results of the data processingbetween the first, second and third microprocessing systems according topredetermined rules.
 10. The microprocessor control system of claim 9,wherein said predetermined rules distinguish between safety-critical andfunctionally essential data.
 11. The microprocessor control system ofclaim 10, further comprising a safety device that, upon determination ofa discrepancy between the safety-critical data, switches off at leastthe microprocessing system generating non-concurrent data.
 12. Themicroprocessor control system of claim 10, wherein upon determination ofa discrepancy between the functionally essential data, individualcomparison is made between the first and third microprocessing controlsystems and the second and third microprocessing control systems todetermine which of the first and second microprocessing systems isoutputting nominal functionally essential data, and continuing controlfunctions utilizing the nominally performing of the first and secondmicroprocessing systems and the third microprocessing system.
 13. Themicroprocessor control system of claim 12, wherein the nominallyperforming of the first and second microprocessing systems is outputtingdata having comparative results closer to the output of the thirdmicroprocessing system.
 14. The microprocessor control system of claim10, wherein upon determination of a discrepancy between the data outputby the first and second microprocessing control systems, both the firstand second microprocessing systems are deactivated one after the other,and wherein, following deactivation of the first and secondmicroprocessing systems, the output data of one of the first and secondmicroprocessing systems is determined by the predetermined rules to beplausible, control functions are continued, at least restrictedly,utilizing that microprocessing system and the third microprocessingsystem.
 15. The microprocessor control system of claim 14, wherein thecontinued control functions are non-safety-critical control functions.16. The microprocessor control system of claim 9, said thirdmicroprocessing system including a control system simulator.